CVE-2021-27103
In short
Accellion FTA versions up to 9.12.411 have a flaw where attackers can send specially crafted requests that make the server access internal systems or services it shouldn't. This lets attackers bypass security boundaries and potentially steal sensitive data.
Technical detail
SSRF vulnerability in Accellion FTA ≤9.12.411 via POST requests to wmProgressstat.html endpoint. Unauthenticated remote attackers can forge server-side requests to internal resources, potentially accessing restricted systems or metadata. Fixed in FTA 9.12.416+.
Summary generated and translated by AI from the official description.
Accellion FTA 9_12_411 and earlier is affected by SSRF via a crafted POST request to wmProgressstat.html. The fixed version is FTA_9_12_416 and later.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a